Alexander Kornbrust has an advisory for CPU - January 2005
January 19th, 2005 by Pete
My good friend Alex Kornbrust has added an advisory for Critical Patch Update (CPU) - January 2005 to his website. The advisory is titled "Buffer Overflow in Create Database Link in Oracle8i - 9i" and details a bug Alex found in April 2003. Alex has found that any user with the ability to create a DATABASE LINK can crash the database. The workaround Alex suggests is to revoke the CREATE DATABASE LINK system privilege from the CONNECT role.
I would suggest a better solution is to revoke the CONNECT ROLE from all users that have been granted it and to then create a more realistic connect role for general users and grant that instead. You can find which users have CREATE DATABASE LINK system privileges with my script who_has_priv.sql and you can also find out who has been granted the CONNECT ROLE with my script who_has_role.sql.
More about Alex's site later.
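The audit and the two remediation options described above can be sketched in SQL. This is an added example, not the who_has_priv.sql or who_has_role.sql scripts mentioned in the post. It assumes an account that can read the DBA_ dictionary views, and GENERAL_CONNECT, APP_USER and the choice of CREATE SESSION as the only privilege in the new role are assumptions for illustration.

```sql
-- 1. Who holds CREATE DATABASE LINK directly (users and roles)?
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE DATABASE LINK'
ORDER  BY grantee;

-- 2. Which accounts can actually use it, directly or through any chain of
--    nested roles? The hierarchical query walks DBA_ROLE_PRIVS outward from
--    every role that holds the privilege.
SELECT u.username
FROM   dba_users u
WHERE  u.username IN (
         SELECT grantee
         FROM   dba_sys_privs
         WHERE  privilege = 'CREATE DATABASE LINK'
         UNION
         SELECT grantee
         FROM   dba_role_privs
         START WITH granted_role IN (SELECT grantee
                                     FROM   dba_sys_privs
                                     WHERE  privilege = 'CREATE DATABASE LINK')
         CONNECT BY PRIOR grantee = granted_role)
ORDER  BY u.username;

-- 3. Who has been granted the CONNECT role?
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'CONNECT'
ORDER  BY grantee;

-- Option A (the advisory's workaround): remove the privilege from CONNECT.
REVOKE CREATE DATABASE LINK FROM CONNECT;

-- Option B (the post's suggestion): replace CONNECT with a minimal role.
-- GENERAL_CONNECT and APP_USER are hypothetical names; repeat the last two
-- statements for each grantee returned by query 3.
CREATE ROLE general_connect;
GRANT  CREATE SESSION TO general_connect;
GRANT  general_connect TO app_user;
REVOKE CONNECT FROM app_user;

-- Re-run query 2 afterwards: any account still listed holds the privilege
-- directly or through another role. A grant to PUBLIC appears in query 1
-- only, and it gives the privilege to every account.
```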



